A critical remote code execution (RCE) vulnerability identified as CVE-2023-3519 has been the subject of several attacks, which have already compromised and backdoored hundreds of Citrix Netscaler ADC and Gateway servers.
Attackers used web shells on at least 640 Citrix servers in these attacks, according to security experts from the Shadowserver Foundation, a nonprofit organization focused on advancing internet security.
Previously, the vulnerability was used as a zero-day attack on the network of a critical infrastructure organization in the United States.
“We can say it’s fairly standard China Chopper, but we do not want to disclose more under the circumstances.
I can say the amount we detect is much lower than the amount we believe to be out there, unfortunately,” Shadowserver CEO Piotr Kijewski said.
”We report on compromised appliances with webshells in your network (640 for 2023-07-30).
We are aware of widespread exploitation happening July 20th already,” Shadowserver said on their public mailing list.
“If you did not patch by then please assume compromise. We believe the actual amount of CVE-2023-3519 related web shells to be much higher than 640.”
Around 15,000 Citrix appliances were CVE-2023-3519 attack-vulnerable as of around two weeks ago.